2012-02-21 - Re: [GRASE-Hotspot] Firewall recommendations

Header Data

From: tim storey <ts***s@yahoo.com>
Message Hash: 9f66d5710cba8bc10e6ede3150c2f493e6ecf81373e1b100039ab2f93ad3419c
Message ID: <1329815486.18433.YahooMailNeo@web161403.mail.bf1.yahoo.com>
Reply To: <4F42B118.6090605@gmail.com>
UTC Datetime: 2012-02-21 02:11:26 UTC
Raw Date: Tue, 21 Feb 2012 01:11:26 -0800

Raw message

I have had a worm launch spam attacks from within my network. My ISP is requesting that I do something about it or else I will be blacklisted and shut down.

Blocking port 445 worked for a few hours, but then the same worm simply used a different port to do the thing again.

My customer base is made up largely of students who have absolutely no concept of security - their laptops are positively crawling with viruses/malware. I do the best I can to educate them, but it largely falls on deaf ears.

I want to be able to allow unrestricted web access (I do not have a mail server, nor do I wish to have one), but I realise that I have to make certain restrictions to protect other web users as well as myself.

Endian firewall (community version) offers web antivirus and web antispam filtering. This makes a lot of sense to my situation, even if I have to sacrifice a little speed, unless you can give me a definitive set of iptables rules which will accomplish the same thing.

The rules you demonstrate below seem like they would suit me fine, but I need to know whether they would be effective in locking out a determined bit of malware (given the malware soup on my customer laptops).

Thanks.




    I run Grase via VirtualBox.

Lately I've been having some recurring security issues and I was wondering whether I should install something like pfsense (also in a VM)...
>Does anyone have suggestions or noteworthy comments about this?
Can you give us some examples of what you want to do? Yes, by
    default your authenticated users can do a lot on the internet
    through the Hotspot. But it is very easy to lock down.
i.e. remove the following line from the bottom of ipup.sh `ipt -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE` and modify it to do what you want. So for example, if you only want a few protocols to be permitted, then create a line for each protocol/port.
i.e. for HTTPS and IMAPS
ipt -I POSTROUTING -t nat -o $HS_WANIF --dport 443 -j MASQUERADE
ipt -I POSTROUTING -t nat -o $HS_WANIF --dport 993 -j MASQUERADE

You should find that port 80 is taken care of by other rules.

Adding in something like pfsense can create more complexity than you
    may find beneficial. And if it also does NAT, then you may find you
    end up triple NATing your users.

Tim

Thread